Our View: Convenience has a darker side

southcoasttoday.com

Posted Nov. 15, 2012 at 12:01 AM

Late last month, book retailer Barnes & Noble acknowledged that 63 of its stores, including three in Massachusetts, had been victims of a carefully orchestrated identity theft scheme that compromised the information of customers in nine states.

In some ways, the bookseller's case is nothing new; computer hackers have long targeted large businesses and their extensive customer databases, trolling around for important personal information that could be used to steal patrons' identities. But in other ways, this latest effort may reveal a new, and perhaps more frightening, aspect of the dangers of identity theft.

Unlike in previous cases where hackers pulled up information that retailers had on file, some suspect that this scheme involved infecting individual personal identification number, or PIN, pad machines. Barnes & Noble has declined to explain just how its machines became infected, but some believe that criminal agents swiped a bogus credit or debit card, transmitting a harmful program, or malware, to a particular machine. To the clerk, the swipe would appear only as a failed sale. Once installed, this program can essentially open an electronic door for would-be hackers, who could then access the company's computers so that they can retrieve the account numbers and passwords of every person who subsequently made purchases on an infected machine.

The approach is similar to another popular scam known as skimming. In this case, criminals attach a card reader on the outside of a legitimate device, such as an ATM. Unsuspecting customers insert their cards, which pass through the skimmer before entering the authorized device. The skimmer records the card information, which is later retrieved by thieves.

The very nature of how the deception may have been executed should send shivers up the spine of anyone who uses a plastic card anywhere. If someone can infect a PIN pad at a bookstore, why not a gas station, a grocery store, or any place where customers swipe their cards?

Barnes & Noble responded to the revelation by eliminating customer-based PIN pads; customers must now hand their cards to a cashier, who will swipe them through card readers mounted on the registers. This, Barnes & Noble asserts, is much more secure.

But in truth, how can they be so certain? If one person or network is crafty enough to create such malware and coordinate a multi-state scam involving dozens of stores, it seems more than a little likely that others could identify and exploit similar weaknesses in other operating systems, regardless of whether or not they are attached to a register.

The fact is that we have grown complacent in our use of credit and debit cards, placing our convenience above caution. The latest incident involving Barnes & Noble may not change people's attitudes in the short term, but there is the very real possibility that we may some day look back at this moment as a harbinger of things to come.